Access control lists (ACLs) are used in many types of computer systems. For example, a computer file system may use an ACL to determine which users or system processes can access objects stored therein and what operations can be performed on the given objects. ACLs used by file systems, which may run on various operating systems, are referred to as file system ACLs. A file system ACL typically has a data structure (e.g., a table) that contains entries (which are referred to herein as “access controls”), each of which specifies, for an individual user or group, the rights that user or group holds on specific system objects such as programs, processes, or files. In this disclosure, access controls implemented using such a file system ACL are referred to as file system-driven, user-based access controls.
Another type of ACL may be found in networked devices such as server computers, routers, and switches. Referred to as networking ACLs, they generally contain rules for controlling network traffic based on, for instance, port numbers or Internet Protocol (IP) addresses of a host. In this disclosure, access controls implemented using such a networking ACL are referred to as network-driven, device-based access controls.
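The two kinds of access control described above, as an added worked example that is not part of this disclosure: a file system ACL is evaluated by matching the requesting user (directly or through group membership) against entries that grant rights on one object, while a networking ACL is an ordered rule list matched on source address and destination port, with the first matching rule deciding and an implicit deny when nothing matches. The entries, group memberships, rules, paths and addresses are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# --- File system-driven, user-based access control -------------------------
# An ACL entry names a principal (user or group) and the rights it holds on
# one object. Entries and group memberships below are constructed samples.

@dataclass(frozen=True)
class FsAce:
    principal: str        # "user:alice" or "group:legal"
    obj: str              # object the entry applies to, e.g. a file path
    rights: frozenset     # subset of {"read", "write", "execute"}


FS_ACL: List[FsAce] = [
    FsAce("group:legal", "/contracts/agreement.xml", frozenset({"read", "write"})),
    FsAce("user:bob", "/contracts/agreement.xml", frozenset({"read"})),
    FsAce("user:alice", "/bin/payroll", frozenset({"execute"})),
]

GROUPS: Dict[str, Set[str]] = {"legal": {"alice"}, "hr": {"bob"}}


def fs_allowed(acl: List[FsAce], groups: Dict[str, Set[str]],
               user: str, obj: str, right: str) -> bool:
    """Grant if any entry for the user, or for a group containing the user,
    carries the requested right on the object; otherwise deny."""
    principals = {f"user:{user}"}
    principals |= {f"group:{g}" for g, members in groups.items() if user in members}
    return any(ace.obj == obj and ace.principal in principals and right in ace.rights
               for ace in acl)


# --- Network-driven, device-based access control ---------------------------
# Rules are evaluated in order; the first match decides, and an implicit
# deny applies when no rule matches (the usual router/switch semantics).

@dataclass(frozen=True)
class NetRule:
    action: str               # "permit" or "deny"
    src: str                  # source network in CIDR notation
    dst_port: Optional[int]   # None matches any destination port


NET_ACL: List[NetRule] = [
    NetRule("deny", "10.0.5.0/24", 22),      # block SSH from one subnet
    NetRule("permit", "10.0.0.0/8", 22),     # allow SSH from the rest of the site
    NetRule("permit", "0.0.0.0/0", 443),     # allow HTTPS from anywhere
]


def net_decision(rules: List[NetRule], src_ip: str, dst_port: int) -> str:
    """Return the action of the first matching rule, or 'deny' if none matches."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if ip in ipaddress.ip_network(rule.src) and rule.dst_port in (None, dst_port):
            return rule.action
    return "deny"  # implicit deny at the end of the list


if __name__ == "__main__":
    print(fs_allowed(FS_ACL, GROUPS, "alice", "/contracts/agreement.xml", "write"))
    print(fs_allowed(FS_ACL, GROUPS, "bob", "/contracts/agreement.xml", "write"))
    print(net_decision(NET_ACL, "10.0.5.7", 22))
    print(net_decision(NET_ACL, "203.0.113.9", 443))
```

Note the difference in the decision model: the file system check is a union over all matching entries (any grant suffices), whereas the network check is order-sensitive, so the specific deny must precede the broader permit to take effect.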
Existing access controls such as those described above have their drawbacks. For example, using existing file system-driven, user-based access controls, the ability to control access to documents or files stored in a file system ends at the document level. Any user who has the read and write permissions to a document can view and edit the entire document, regardless of what their role might be relative to the document.
For example, a corporate attorney and a human resource manager may work together to draft an employment agreement for a new employee. They both may have the read and write permissions to view and edit the entire employment agreement, even though in their roles (e.g., titles and/or job functions) as a corporate attorney and a human resource manager, they really should have access to only the portions of the employment agreement that they are responsible for editing. However, since they both have the read and write permissions to view and edit the entire employment agreement, there is no way to prevent either from altering the portions of the document that are not relevant to their jobs. This can be a significant security issue for documents produced in a collaborative environment.
One way to address this security issue is to define an access control policy (ACP) over an entire class of eXtensible Markup Language (XML) documents specified by an XML schema definition and enforce the ACP by encrypting regions of the document using cryptographic keys, as discussed by Tomasz Müldner, Robin McNeill and Jan Krzysztof Miziolek in “Secure Publishing using Schema-level Role-based Access Control Policies for Fragments of XML Documents,” presented at Balisage: The Markup Conference 2008, Montreal, Canada, Aug. 12-15, 2008, in Proceedings of Balisage: The Markup Conference 2008, Balisage Series on Markup Technologies, vol. 1 (2008), doi:10.4242/BalisageVol1.Muldner01. With this approach, a user in a particular role specified in the ACP is given a key so that the user can access the fragment of any XML document specified by the XML schema definition.
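The contrast between the document-level limitation of the preceding paragraphs and the schema-level, role-based approach just described, as an added illustration that is not part of this disclosure or of the cited paper: the employment agreement is modelled as a few named fragments, a file system ACL grants both roles read and write on the whole file, and a role-based ACP instead lists the fragments each role may access. Enforcement by encryption is modelled with one key per fragment and a per-role keyring holding only that role's fragment keys, so a reader without a fragment's key cannot recover it. The document text, the policy, and the assignment of one key per fragment are assumptions made for this example, and the keystream routine is a toy built on HMAC-SHA256 so the code runs with the Python standard library alone; it stands in for a real authenticated cipher and is not a recommended encryption scheme.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample document: an employment agreement split into
# schema-level fragments (element names stand in for XML schema elements).
DOCUMENT: Dict[str, str] = {
    "legal_terms": "Governing law and dispute resolution clauses",
    "compensation": "Salary, bonus and benefits schedule",
    "signatures": "Signature block for employer and employee",
}

# Document-level (file system) ACL: rights are granted on the whole file.
FILE_ACL = {"attorney": {"read", "write"}, "hr_manager": {"read", "write"}}

# Schema-level role-based ACP (assumed policy for this example): the
# fragments each role may access. "signatures" is shared by both roles.
ACP = {
    "attorney": {"legal_terms", "signatures"},
    "hr_manager": {"compensation", "signatures"},
}


def document_level_access(role: str, fragment: str, right: str) -> bool:
    """File system ACL: a right on the file applies to every fragment alike."""
    return right in FILE_ACL.get(role, set())


def fragment_level_access(role: str, fragment: str) -> bool:
    """Schema-level ACP: the role must be listed for that fragment."""
    return fragment in ACP.get(role, set())


def _toy_keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy keystream (HMAC-SHA256 in counter mode) XORed over the data, used
    # only so the example runs without third-party packages. It is not
    # authenticated and is a stand-in for a real AEAD; the point shown is
    # the key-per-fragment structure, not the cipher.
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        stream.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def generate_fragment_keys(document: Dict[str, str]) -> Dict[str, bytes]:
    """One random key per fragment (assumed key layout for this example)."""
    return {name: os.urandom(32) for name in document}


def encrypt_document(document: Dict[str, str],
                     fragment_keys: Dict[str, bytes]) -> Dict[str, bytes]:
    """Encrypt each fragment under its own key; stored as nonce || ciphertext."""
    encrypted = {}
    for name, text in document.items():
        nonce = os.urandom(16)
        encrypted[name] = nonce + _toy_keystream_xor(fragment_keys[name], nonce, text.encode())
    return encrypted


def role_keyring(role: str, fragment_keys: Dict[str, bytes]) -> Dict[str, bytes]:
    """Key distribution: a role receives only the keys for its ACP fragments."""
    return {name: fragment_keys[name] for name in ACP.get(role, set())}


def read_fragment(keyring: Dict[str, bytes], encrypted_doc: Dict[str, bytes],
                  fragment: str) -> Optional[str]:
    """Decrypt a fragment if the keyring holds its key; None otherwise."""
    key = keyring.get(fragment)
    if key is None:
        return None
    blob = encrypted_doc[fragment]
    nonce, ciphertext = blob[:16], blob[16:]
    return _toy_keystream_xor(key, nonce, ciphertext).decode()


def demo() -> Dict[str, object]:
    """Compare both models for the attorney role on the sample document."""
    keys = generate_fragment_keys(DOCUMENT)
    enc = encrypt_document(DOCUMENT, keys)
    attorney = role_keyring("attorney", keys)
    return {
        "doc_level_attorney_writes_compensation":
            document_level_access("attorney", "compensation", "write"),
        "frag_level_attorney_writes_compensation":
            fragment_level_access("attorney", "compensation"),
        "attorney_reads_legal_terms": read_fragment(attorney, enc, "legal_terms"),
        "attorney_reads_compensation": read_fragment(attorney, enc, "compensation"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The cost the next paragraph refers to is visible in the structure: every fragment needs its own key, every role needs a keyring assembled from those keys, and any change to the policy or the document means re-encrypting fragments and redistributing keys to every role affected.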
Such schema-level role-based ACPs require expensive operations such as key generation, encryption, decryption, etc., and involve complicated key management. Accordingly, there is a continuing need for innovations and improvements.